SAP on AWS Planning
If you are an experienced SAP Basis or SAP NetWeaver administrator, there are a number of AWS-specific considerations relating to compute configurations, storage, security, management, and monitoring that will help you get the most out of your SAP environment on AWS. This section provides guidelines for achieving optimal performance, availability, and reliability, and lower total cost of ownership (TCO) while running SAP solutions on AWS.
SAP Notes
Before migrating or implementing an SAP environment on AWS, you should read and follow the relevant SAP notes. Start from SAP Note 1656099
SAP on AWS Architectures
This section describes the two primary architectural patterns for SAP on AWS: all systems on AWS and hybrid.
All-on-AWS Architecture
With the SAP All-on-AWS architecture, all systems and components of your SAP environment are hosted on AWS. Example scenarios of such an architecture include:
- Implementation of a complete, new SAP environment on AWS
- Migration of a complete, existing SAP environment to AWS
Figure 3 depicts an SAP all-on-AWS architecture. The SAP environment running on AWS is integrated with on-premises systems and users via a VPN connection or a dedicated network connection via AWS Direct Connect. SAProuter is deployed in a public subnet and assigned a public IP address that is reachable from the internet to enable integration with the SAP OSS network via a secure network communications (SNC) connection. A network address translation (NAT) gateway enables instances in the private subnet to connect to the internet or other AWS services, but prevents instances from receiving inbound traffic that is initiated by someone on the internet. For additional information, see the Configuring Network and Connectivity section.
Figure 3: SAP all-on-AWS architecture
Hybrid AWS Architecture
With an SAP hybrid AWS architecture, some SAP systems and components are hosted on your on-premises infrastructure and others are hosted on the AWS infrastructure. Example scenarios of such an architecture include:
- Running SAP test, trial, training, proof-of-concept (PoC), and similar systems on AWS
- Running non-production SAP landscapes (for example, DEV and QAS) on AWS, integrated with an SAP production landscape running on premises
- Implementing a new SAP application on AWS and integrating it with an existing SAP on-premises environment
Figure 4 depicts an SAP hybrid AWS architecture with SAP DEV and QAS landscapes and SAP test, training, and PoC systems running on AWS. These systems are integrated with SAP systems and users on the corporate network. Connectivity between the VPC and the corporate network is provided with either a VPN connection or an AWS Direct Connect connection. The existing SAProuter and SAP Solution Manager running on the corporate network are used to manage the SAP systems running within the VPC.
Figure 4: SAP hybrid AWS architecture
Choosing an AWS Region and Availability Zone
See the AWS Global Infrastructure section of this guide for information about AWS Regions and Availability Zones.
Choosing a Region
When choosing the AWS Region to deploy your SAP environment in, consider the following factors:
- Proximity to your on-premises data center(s), systems, and end users to minimize network latency.
- Data residency and regulatory compliance requirements.
- Availability of the AWS products and services you plan to use in the region. For a detailed list of AWS products and services by region, see the Region Table on the AWS website.
- Availability of the EC2 instance types you plan to use in the region. To view AWS Region availability for a specific instance type, see the Amazon EC2 Instance Types for SAP webpage.
Choosing an Availability Zone
No special considerations are required when choosing an Availability Zone for your SAP deployment on AWS. All SAP applications (SAP ERP, CRM, SRM, and so on) and systems (SAP database system, SAP Central Services system, and SAP application servers) should be deployed in the same Availability Zone. If high availability (HA) is a requirement, use multiple Availability Zones. For more information, see Architecture guidance for availability and reliability of SAP on AWS.
Network and Connectivity
Amazon VPC
Amazon VPC enables you to define a virtual network in your own, logically isolated area within the AWS Cloud. You can launch your AWS resources, such as instances, into your VPC. Your VPC closely resembles a traditional network that you might operate in your own data center, with the benefits of using the AWS scalable infrastructure. You can configure your VPC; you can select its IP address range, create subnets, and configure route tables, network gateways, and security settings. You can connect instances in your VPC to the internet. You can connect your VPC to your own corporate data center, and make the AWS Cloud an extension of your data center. To protect the resources in each subnet, you can use multiple layers of security, including security groups and network access control lists. For more information, see the Amazon VPC User Guide.
For detailed instructions for setting up and configuring a VPC, and connectivity between your network and VPC, see the Amazon VPC documentation.
Network Connectivity Options
Multiple options are available to provide network connectivity between your on-premises users and systems and your SAP systems running on AWS, including a direct internet connection, hardware VPN, and private network connection.
Private Network Connection
AWS Direct Connect
Use cases: Recommended for customers who require greater bandwidth and lower latency than is possible with a hardware VPN.
For more information, see Amazon Virtual Private Cloud Connectivity Options.
Direct Internet Connection
The quickest and simplest way to connect to your SAP systems running on AWS involves using a VPC with a single public subnet and an internet gateway to enable communication over the internet. For additional information, see Scenario 1: VPC with a Public Subnet Only in the Amazon VPC User Guide.
Use cases: Most suitable for SAP demo, training, and test type systems that do not contain sensitive data.
Site-to-Site / Hardware VPN
AWS Site-to-Site VPN
Use cases: Recommended for any SAP environments on AWS that require integration with on-premises users and systems.
Client VPN
AWS Client VPN
Use cases: Provides quick and easy connectivity to your remote workforce and business partners.
Following Security Best Practices
In order to provide end-to-end security and end-to-end privacy, AWS builds services in accordance with security best practices, provides appropriate security features in those services, and documents how to use those features. In addition, AWS customers must use those features and best practices to architect an appropriately secure application environment. Enabling customers to ensure the confidentiality, integrity, and availability of their data is of the utmost importance to AWS, as is maintaining trust and confidence.
Shared Responsibility Environment
There is a shared responsibility model between you as the customer and AWS. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. In turn, you assume responsibility and management of the guest operating system (including updates and security patches), other associated application software, Amazon VPC setup and configuration, as well as the configuration of the AWS-provided security group firewall. For additional information on AWS security, visit the AWS Cloud Security
Amazon VPC
The foundation for security of an SAP environment on AWS is the use of Amazon VPC for providing the overall isolation. Amazon VPC includes security details that you must set up to enable proper access and restrictions for your resources. Amazon VPC provides features that you can use to help increase and monitor the security for your VPC:
- Security groups act as a firewall for associated EC2 instances, controlling both inbound and outbound traffic at the instance level.
- Network access control lists (ACLs) act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level.
- Route tables consist of a set of rules, called routes, that determine where network traffic is directed. Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet.
- Flow logs capture information about the IP traffic going to and from network interfaces in your VPC.
For detailed documentation about how to set up and manage security within a VPC, see the Security section of the Amazon VPC User Guide.
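The layout described in this guide (SAProuter in a public subnet, SAP systems in private subnets behind a NAT gateway, security groups as the instance-level firewall) can be checked mechanically. The following Python check is an added example, not part of the AWS guide: it audits constructed route-table and security-group data for SAP systems that sit in an internet-routed subnet or accept traffic from any address. The role inventory, every ID and CIDR, and port 3299 (SAProuter's default port) are assumptions.

```python
# Constructed sample data, shaped like EC2 DescribeRouteTables / DescribeSecurityGroups.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    {"Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}]},
]
SECURITY_GROUPS = {  # group ID -> IpPermissions (inbound rules)
    "sg-router": [{"IpProtocol": "tcp", "FromPort": 3299, "ToPort": 3299,
                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-app": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "sg-db": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}],
}
PLACEMENT = {  # assumed inventory: role -> (subnet, group, may face the internet?)
    "saprouter": ("subnet-pub", "sg-router", True),
    "sap-app": ("subnet-priv", "sg-app", False),
    "sap-db": ("subnet-pub", "sg-db", False),  # misplaced on purpose
}
ANY = {"0.0.0.0/0", "::/0"}

def routes_to_igw(subnet_id):
    """True if the subnet's table has a default route to an internet gateway."""
    for table in ROUTE_TABLES:  # main-table fallback is not modelled
        if any(a.get("SubnetId") == subnet_id for a in table["Associations"]):
            return any(
                (r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")) in ANY
                and r.get("GatewayId", "").startswith("igw-") for r in table["Routes"])
    return False

def world_open_ports(sg_id):
    """Port ranges admitted from any address; protocol -1 counts as 0-65535."""
    return [(p.get("FromPort", 0), p.get("ToPort", 65535))
            for p in SECURITY_GROUPS[sg_id]
            if any(r.get("CidrIp", r.get("CidrIpv6")) in ANY
                   for r in p.get("IpRanges", []) + p.get("Ipv6Ranges", []))]

def audit(router_port=3299):  # assumption: SAProuter listens on its default port
    findings = []
    for role, (subnet, sg, public_ok) in sorted(PLACEMENT.items()):
        if not public_ok and routes_to_igw(subnet):
            findings.append(f"{role}: {subnet} has a default route to an internet gateway")
        for lo, hi in world_open_ports(sg):
            if not public_ok or (lo, hi) != (router_port, router_port):
                findings.append(f"{role}: {sg} admits ports {lo}-{hi} from any address")
    return findings

if __name__ == "__main__":
    print("\n".join(audit()))
```

To run the same check against a real account, replace the constants with the corresponding fields from your own route-table and security-group descriptions.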
EC2 Instance Types for SAP
Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. Instance types comprise varying combinations of CPU, memory, storage, and networking capacity and give you the flexibility to choose the appropriate mix of resources for your applications. Each instance type includes one or more instance sizes, allowing you to scale your resources to the requirements of your target workload.
SAP systems deployed on AWS that will require support from SAP must be run on an EC2 instance type that has been certified with SAP. This section describes where you can find details about the EC2 instance types that have been certified with SAP and additional information for specific SAP solutions.
SAP NetWeaver-based Solutions
SAP solutions based on the SAP NetWeaver platform and that use SAP Application Performance Standard (SAPS)
SAP HANA
The SAP HANA platform and SAP solutions that run on top of an SAP HANA database—for example, SAP Suite on HANA, SAP S/4HANA, SAP Business Warehouse (BW) on HANA, SAP BW/4HANA— require specific EC2 instance types that have been certified for SAP HANA. For more information, see Amazon EC2 instance types for SAP on AWS.
SAP Business One, version for SAP HANA
For information about the EC2 instance types that are certified for SAP Business One, version for SAP HANA, see:
Operating Systems
Supported Operating Systems
EC2 instances run on 64-bit virtual processors based on the Intel x86 instruction set. The following 64-bit operating systems and versions are available and supported for SAP solutions on AWS.
For additional information regarding SAP-supported operating systems on AWS, see SAP Note 1656250
SLES for SAP and RHEL for SAP
SUSE and Red Hat offer SAP-specific versions of their operating systems that provide the following benefits:
- Configuration and tuning for SAP
- Extended release support
- High availability extension for SAP
- Dedicated support channel
Note
Because of these benefits, we strongly recommend using SLES for SAP or RHEL for SAP with High Availability (HA) and Update Services (US) for your SAP on AWS deployments.
To learn more about SUSE’s and Red Hat’s operating system versions for SAP, see the following information on the SLES and Red Hat websites.
SLES for SAP
RHEL for SAP
Operating System Licenses
These operating system licensing options are available for SAP systems on AWS:
- On-demand – The operating system software and license are bundled in an Amazon Machine Image (AMI). The fee for the operating system license is included in the On-Demand Instance hourly fee or Reserved Instance fee for the instance type.
- Bring Your Own License/Subscription (BYOL) – Bring your existing operating system license or subscription to the AWS Cloud.
- AWS Marketplace – Purchase operating system licenses and subscriptions from AWS Marketplace.
The following table lists the licensing options available for each operating system and version. To learn more about each option, follow the link in the table.
Operating system | License/subscription options |
---|---|
SLES | On-demand, BYOL |
SLES for SAP | AWS Marketplace |
RHEL | On-demand, BYOL |
RHEL for SAP with HA and US | AWS Marketplace |
Windows | On-demand, BYOL |
Oracle Linux | BYOL |
Databases
Supported Databases
All the database platforms and versions supported by SAP for an on-premises infrastructure are also supported by SAP on AWS. For details about the databases supported with specific SAP solutions on AWS, see SAP Note 1656099
Database Installation and Administration
Customer-Managed Database on Amazon EC2
The majority of SAP solutions use a customer-managed model on Amazon EC2. Installation, configuration, administration, and backup and recovery of the database are done by either the customer or a partner.
The following SAP solutions use a self-managed database model on Amazon EC2:
- SAP Business Suite and SAP NetWeaver-based applications
- SAP HANA
- SAP S/4HANA
- SAP BW/4HANA
- SAP BusinessObjects BI
- SAP Business One
Amazon RDS
Amazon Relational Database Service (Amazon RDS)
- SAP BusinessObjects BI
- SAP Commerce (previously known as SAP Hybris Commerce)
Amazon Aurora
Amazon Aurora (Aurora)
- SAP Commerce (previously known as SAP Hybris Commerce)
Database Licenses
These database licensing options are available for SAP systems on AWS:
- On-demand – The database software and license are bundled in an Amazon Machine Image (AMI). The fee for the database license is included in the On-Demand Instance hourly fee or Reserved Instance fee for the instance type.
- Bring Your Own License (BYOL) – Bring your existing database licenses to the AWS Cloud.
- AWS Marketplace – Purchase database software and licenses from AWS Marketplace.
The following table lists the licensing options available on AWS for each database. For additional information, follow the links in the Licensing options column.
* SQL Server runtime licenses purchased from SAP require either Microsoft Software Assurance or Amazon EC2 Dedicated Hosts to bring these licenses to AWS. For additional information, see:
SAP Installation Media
The majority of SAP solutions on AWS use a bring-your-own-software model. There are two primary options for copying SAP installation media to AWS:
- Download from the SAP Software Download Center to Amazon EC2. From your EC2 instance, connect to the SAP Software Download Center and download the required installation media. This option will most likely be the fastest method for getting SAP installation media to AWS, because EC2 instances have very fast connections to the internet. You can create a dedicated Amazon EBS volume to store installation media, and then attach the volume to different instances as needed. You can also create a snapshot of the Amazon EBS volume and create multiple volumes that you can attach to multiple instances in parallel.
- Copy from your network to Amazon EC2. If you already have the required SAP installation media downloaded to a location on your network, you can copy the media from your network directly to an EC2 instance.